Security Response
Zulfikar Ramzan | 10 Jul 2006 07:00:00 GMT | 0 comments

The development of interfaces for trustworthy information has not progressed at the same rate as computing technology in general. Today we enter passwords using a text-based interface that we assume is trustworthy, much like what we did thirty-plus years ago.

On June 19, 2006 I attended (and gave a talk at) the TIPPI Workshop that was held on the Stanford University campus. TIPPI stands for “Trustworthy Interfaces for Passwords and Personal Information”. The workshop brings together people who design security schemes with those who build user interfaces. The goal is to help solve the problem of designing trustworthy user interfaces, which has specific implications for fighting online fraud, especially when it comes to phishing.

There has been considerable progress in designing protocols for secure password authentication. For example, password authenticated key exchange (PAKE)...

Candid Wueest | 07 Jul 2006 07:00:00 GMT | 0 comments

The amount of email I have received lately regarding "making easy money from home" has increased tremendously. These “job offers” all have two things in common; you are required to have an online bank account and you must be able to check email frequently. In return for these requirements there are promises that large amounts of money can be made, usually five to ten percent in commission for every payment forwarded to the company headquarters.

To make it even more convincing, fake companies are created and complete Web sites with job offers and background information are generated. Interested parties receive convincing job offers with social benefits and health care plans. So, what's behind it? As you have probably guessed by now, these are recruitment emails from phishers. They are constantly searching for "money mules" that will receive payments from stolen accounts and then transfer the cash back to the real attacker. Many phishers are swimming in...

Ollie Whitehouse | 06 Jul 2006 07:00:00 GMT | 0 comments

HD Moore and the MetaSploit project have gone to town with their toolbox of fuzzers and insight. They have unleashed a raft of security vulnerabilities on the world, in major browsers across many different platforms, one a day for an entire month (it is now day five of the Month of Browser Bugs as I write this).

While I think it's awesome that HD and the project team have made such a concerted effort to investigate most of the major sub-systems used in today's browsers (I don't want to detract from their initiative, motivation, or skill) it should be noted they were not the first to take a look at them, thinking that, aside from ActiveX (for a change) they could be fuzzed with high yield results. Similar methods were used by the illustrious group at Oulu university in 2001,...

Zulfikar Ramzan | 05 Jul 2006 07:00:00 GMT | 0 comments

With any emerging threat there is an ongoing arms race between those who perpetrate the threats and those who work on eradicating them. We’ve seen this happen with spam, where spammers would try to develop new techniques to get their email to pass through spam filters, and, in turn, anti-spam offerings would take these techniques into account in an effort to better recognize (and eliminate) spam.

Phishing is no different. For example, we recently came across an entire phishing Web site that was built using Macromedia Flash. Macromedia Flash (or, just “Flash”) is a very popular technology used to add animations and interactivity to Web pages (though the technology is not necessarily limited to use within Web pages). If you have ever seen a glitzy Web page with nice animation, chances are that the animation was developed using Flash.

An entire Web page that was built using only Flash could more or less achieve the same functionality as a page developed using more...

David McKinney | 04 Jul 2006 07:00:00 GMT | 0 comments

Cross-site scripting (XSS) is hardly the scourge of the Internet, but at the same time, should it really be trivialized when it affects a widely used service or application? Cross-site scripting (and the broader category of content injection vulnerabilities) is incredibly prevalent across a wide range of software, from guestbook programs churned out by weekend warriors, to household names with revenue statements that eclipse the gross national products of some small countries.

These vulnerabilities are so common that most people just wish they would go away. So, if we want something to go away and we're not willing to expend the time and energy to develop a real solution, then what alternative do we have? Do we just pretend that they don't exist? The suggestion is often made that they aren’t real—nothing to see here—move along.

Some people contend that XSS isn’t a real vulnerability because it can’t affect security with hosts or end users on its own, or when used in a product...

Dave Cole | 03 Jul 2006 07:00:00 GMT | 0 comments

Since the early days of e-commerce, businesses have recognized the potential for the Internet to streamline how they interact with their customers. Oftentimes this meant diminishing or eliminating the role of the businesses that were sitting in the middle, brokering the brick and mortar transaction. Going straight to the customer with a snazzy online store or auction Web site cut these middle players (and their costs) out of the mix. This allowed the business to take back profit margin, offer lower costs, and increase transaction volume.

The benefits of getting closer to the customer haven’t been lost on those who peddle misleading applications. Misleading applications are programs that intentionally misrepresent the security status of a computer by working to convince the user that he or she must remove risks (usually nonexistent or fake) from the computer. The application will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the “...

Peter Ferrie | 30 Jun 2006 07:00:00 GMT | 0 comments

Things have been pretty interesting here lately. The first virus for Sun Microsystems’ StarOffice appeared, although it wasn't a real virus because it didn't actually work. We also received reports of the first parasitic virus for the .chm (compiled HTML help file) file format, and reports of the first virus that is an IDA plug-in. I say "reports" because we have been told these two viruses exist but we have not received any samples to prove it.

The StarOffice virus just goes to show that virus writers don't test their code. Despite four attempts (represented by the samples that we received; who knows how many others we didn't receive) the virus author still couldn’t seem to work out why his code wasn’t infecting anything. However, hot on the heels of these initial samples was the...

Symantec Security Response | 30 Jun 2006 07:00:00 GMT | 0 comments

We are seeing signs of worm activity over instant messaging (IM) and wanted to warn you not to let your curiosity get the better of you. You’ve heard the saying about curiosity killing the cat, right?

In a nutshell, IM users are receiving messages that say "check out these pics of us!", with a link provided in the IM window to either "p1392.pic-myspace .info" or "p1377. pic-myspace .info". When unsuspecting victims click on the link, thinking that they are going to the MySpace Web site, they are instead transported to another Web site at which point a malicious downloader gets installed on the victim's machine. From what we can tell, this particular downloader tries to install a bunch of applications, presumably with the intent to earn the site's owner some commission. While this is probably more of an annoyance than anything else, if you ask me, the good news is that Symantec customers have been protected from this type of attack since December 2005.

At the end of the day, if...